Virginia was the second US state to enact a comprehensive consumer privacy law, following California. The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021 and took effect on January 1, 2023. The law has since become the model that most other state privacy laws have followed.
Virginia: The Model for US State Privacy Laws
While California was first with the CCPA, Virginia’s VCDPA has arguably had more influence on the wave of state privacy laws that followed. Colorado, Connecticut, Utah, Indiana, Montana, and many other states have largely adopted the Virginia model rather than California’s approach.
Why did states follow Virginia instead of California?
- Business-friendly thresholds: Virginia uses clear, numeric thresholds (100,000 consumers OR 25,000 consumers + 50% revenue from data sales) that are easier for businesses to assess
- No private right of action: Only the Attorney General can enforce the law, reducing litigation risk for businesses
- 30-day cure period: Businesses get a chance to fix violations before facing penalties
- Opt-out model: Unlike GDPR’s opt-in approach, Virginia allows data processing by default unless consumers object
- Clear exemptions: Carve-outs for employee data, B2B contacts, and data already regulated by federal laws
This framework has become the de facto template for state privacy legislation in the United States.
How Virginia Compares to Other State Privacy Laws
The following table compares Virginia’s VCDPA with other major US state privacy laws:
| Feature | Virginia (VCDPA) | California (CCPA/CPRA) | Colorado (CPA) | Connecticut (CTDPA) | Utah (UCPA) |
|---|---|---|---|---|---|
| Effective Date | Jan 1, 2023 | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA) | Jul 1, 2023 | Jul 1, 2023 | Dec 31, 2023 |
| Consumer Threshold | 100,000 consumers | $25M revenue OR 50,000 consumers | 100,000 consumers | 100,000 consumers | 100,000 consumers |
| Alternative Threshold | 25,000 + 50% revenue from data sales | 50% revenue from data sales | 25,000 + any revenue from data sales | 25,000 + 25% revenue from data sales | 25,000 + 50% revenue from data sales |
| Private Right of Action | No | Limited (data breaches only) | No | No | No |
| Cure Period | 30 days (permanent) | None (CPRA removed it) | 60 days (sunsets 2025) | 60 days (sunsets 2025) | 30 days (permanent) |
| Enforcement | AG only | AG + CPPA | AG only | AG only | AG only |
| Right to Correct | Yes | Yes | Yes | Yes | No |
| Right to Opt-Out of Sales | Yes | Yes | Yes | Yes | Yes |
| Right to Opt-Out of Profiling | Yes | Yes | Yes | Yes | No |
| Universal Opt-Out Required | No | Yes | Yes (from Jul 2024) | Yes (from Jan 2025) | No |
| Data Protection Assessments | Required | Required (as risk assessments) | Required | Required | Not required |
| Maximum Penalty per Violation | $7,500 | $7,500 | $20,000 | $5,000 | $7,500 |
What Is the VCDPA?
The Virginia Consumer Data Protection Act gives Virginia residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law follows an opt-out model similar to many other state privacy laws, meaning businesses can generally process personal data without consent unless the consumer objects.
Enforcement is handled exclusively by the Virginia Attorney General. There is no private right of action, and the law does not create a dedicated privacy agency.
Does It Apply to Your Business?
The VCDPA applies to businesses that conduct business in Virginia or target products and services to Virginia residents. To be covered, a business must also meet at least one of two thresholds during a calendar year:
Threshold 1: Control or process the personal data of 100,000 or more Virginia consumers.
Threshold 2: Control or process the personal data of at least 25,000 Virginia consumers AND derive more than 50% of gross revenue from the sale of personal data.
The law applies to consumers acting in an individual or household context. It does not cover people acting in a commercial or employment context, so employee data and business-to-business contacts are generally excluded.
Exemptions
Several categories of data and entities are exempt from the VCDPA:
- Data regulated by HIPAA (health information)
- Data covered by the Gramm-Leach-Bliley Act (financial institutions)
- Data subject to the Fair Credit Reporting Act
- Employee, job applicant, and contractor data
- Publicly available information
- De-identified data
Key Consumer Rights
Virginia residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling that produces legal or significant effects
Businesses must respond to consumer requests within 45 days, with one 45-day extension available when reasonably necessary.
Business Obligations
Covered businesses must:
- Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose
- Implement reasonable security measures
- Provide clear privacy notices
- Obtain consent before processing sensitive data
- Conduct data protection assessments for certain processing activities (targeted advertising, sales, profiling, sensitive data)
Sensitive data under the VCDPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic data, biometric data, children’s data, and precise geolocation.
Enforcement and Penalties
The Virginia Attorney General has exclusive enforcement authority. The AG’s office established a Consumer Privacy Unit specifically to handle VCDPA enforcement and consumer complaints.
Businesses receive a 30-day right to cure any alleged violation before enforcement action proceeds. Unlike the cure periods in some other states (Colorado and Connecticut), Virginia’s cure period is permanent and will not expire.
Penalties are:
- Up to $7,500 per intentional violation
- Up to $2,500 per unintentional violation
Each affected consumer counts as a separate violation. A violation affecting 100 consumers could result in penalties up to $750,000. All fines and costs go to the Consumer Privacy Fund, which supports ongoing enforcement.
Enforcement status: As of early 2026, the Virginia Attorney General has not announced any public enforcement actions or settlements under the VCDPA. This contrasts with California, where the CPPA has announced multiple enforcement cases. However, the AG’s Consumer Privacy Unit is actively receiving and investigating complaints—Virginians who believe their data rights are being violated can file complaints via the AG’s consumer protection portal.
2025 Amendments: Children’s Privacy and Reproductive Health
Virginia has amended the VCDPA multiple times to strengthen protections:
Effective January 1, 2025: Additional requirements apply to controllers processing personal data of children under 13 years old (HB707/SB361).
Effective January 1, 2026: New provisions require social media platforms with “addictive feeds” to verify that users are not minors under 18 or obtain verifiable parental consent (SB 854).
Effective July 1, 2025: New protections for reproductive and sexual health information, with heightened consent requirements for processing such data.
Key Dates
- 2 March 2021: VCDPA signed into law
- 1 January 2023: VCDPA took effect
- 1 January 2025: Children’s privacy amendments (under 13) took effect
- 1 July 2025: Reproductive and sexual health data protections took effect
- 1 January 2026: Social media age verification requirements take effect
Frequently Asked Questions
How is the VCDPA different from the CCPA?
The main differences are: (1) Virginia uses consumer count thresholds while California includes a revenue threshold ($25M); (2) Virginia has no private right of action while California allows limited private lawsuits for data breaches; (3) Virginia has a permanent 30-day cure period while California eliminated cure rights under CPRA; (4) California has a dedicated enforcement agency (CPPA) while Virginia relies solely on the Attorney General.
Does the VCDPA apply to small businesses?
Most small businesses are not covered. You must process data of at least 100,000 Virginia consumers annually, or process data of 25,000+ consumers while earning more than half your revenue from data sales. Many small and medium businesses fall below these thresholds.
Can consumers sue businesses for VCDPA violations?
No. The VCDPA has no private right of action. Only the Virginia Attorney General can bring enforcement actions. Consumers can file complaints with the AG’s office, but cannot sue businesses directly for privacy violations under this law.
What is the 30-day cure period?
Before taking enforcement action, the Attorney General must provide written notice of alleged violations and give the business 30 days to fix (“cure”) the problem. If the business cures the violation and provides written confirmation, no enforcement action proceeds. Unlike the cure periods in Colorado and Connecticut, Virginia’s cure period is permanent.
Do I need to conduct data protection assessments?
Yes, if you engage in certain high-risk processing activities: targeted advertising, selling personal data, profiling that presents risks to consumers, or processing sensitive data. These assessments must weigh the benefits of processing against potential risks to consumers.
How do I file a VCDPA complaint?
Virginia residents can file complaints with the Attorney General’s Consumer Protection Section. Contact the Consumer Protection Hotline at 1-800-552-9963 (within Virginia) or 804-786-2042 (Richmond area/out-of-state), or file online through the AG’s complaint portal.
Where to Find Official Resources
- Full legal text: Virginia Code Chapter 53 – Consumer Data Protection Act
- Virginia Attorney General summary: VCDPA Summary (PDF)
- File a complaint: Virginia AG Consumer Protection
Getting Started
Virginia’s VCDPA uses clear threshold tests that make it straightforward to determine applicability. If your business processes personal data of 100,000 or more Virginia consumers annually, or meets the 25,000 consumer threshold while earning over half your revenue from data sales, you are covered.
Review your data collection practices against the purpose limitation and data minimization requirements. Ensure you have consent mechanisms in place for any sensitive data processing, and consider whether you need to conduct data protection assessments for targeted advertising or profiling activities.
If you’re already compliant with Colorado, Connecticut, or Utah privacy laws, you’re likely well-positioned for VCDPA compliance given the similarities between these laws.
